Our platinum partner axl & trax published a nice case study on how the French Blood Service, l'Etablissement Français du Sang (EFS), used CSI tools to audit and rework its role design into a new role concept.
"The mission objective was not only to strengthen the existing status, but also to prepare for the future. Therefore, axl & trax presented the tool CSI Authorization Auditor (AA), which was used to deliver the first analyses. “This tool helps to identify the risk levels. It also allows us to link compliancy rules (type SOx and others) with the authorizations in SAP,” states Nicolas Merlière.
For EFS, who wished to approach the standard, this solution also allowed the implementation of normalized rules, categorized by importance, while incorporating these rules. “This way, we were better equipped to identify the conflicts, allowing us to make a systemic analysis with a solid tool while, among other things, taking the authorization objects into account. Therefore, we reinforce the separation of duties while securing our processes”, adds Jean-Nicolas Maupain. The CSI AA tool also contributed to strengthening the implementation of a continuous monitoring system within the heart of the organization, for which it heavily relies on the tool."
(...)
"Another point of improvement concerns the roles linked to the SAP portal, which were initially designed separated from the roles of the ECC6 system, with different user identifiers for each system. The conjunction of the two types of roles causes access anomalies which need to be fixed.
“The risks related to the SAP parameters must be taken into account as well,” warns Nicolas Merlière. “If some element parameters are not correctly set, expert users would be able to access certain objects which they should not be able to address”. Certain support or administration roles must also be restricted, monitored and limited in time. The CSI Emergency Request tool has been acquired, since it enables us to assign such roles strictly on demand while tracing all performed actions."
Read the full article at axl-trax.com
Freely translated from its first publication in French in USFmag #28 (quarterly magazine, October 2015), in the context of the USF 2015 Convention, titled «Changement de paradigme: vers une séparation effective des habilitations à l'EFS».